Cert-manager: ErrVerifyACMEAccount Post : unsupported protocol scheme "" in v0.3.0-alpha.1

Created on 18 Apr 2018  Â·  17Comments  Â·  Source: jetstack/cert-manager

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:
I was trying out v0.3.0-alpha.1. The pod starts fine. I created cluster issuer as follows

apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # The ACME staging api URL
    server: "https://acme-staging.api.letsencrypt.org/directory"

    # Email address used for ACME registration
    email: "[email protected]"

    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging-cluster-key-pair

    # Enable the HTTP-01 challenge provider
    http01: {}

Just after creating, the cert-manager pod started to print these logs continuously

I0418 16:39:53.132938       1 controller.go:138] clusterissuers controller: syncing item 'letsencrypt-staging'
I0418 16:39:53.133006       1 acme.go:159] getting private key (letsencrypt-staging-cluster-key-pair->tls.key) for acme issuer kube-system/letsencrypt-staging
I0418 16:39:53.133673       1 logger.go:67] Calling GetAccount
I0418 16:39:53.556914       1 sync.go:40] Error initializing issuer: Post : unsupported protocol scheme ""
E0418 16:39:53.562217       1 controller.go:147] clusterissuers controller: Re-queuing item "letsencrypt-staging" due to error processing: Post : unsupported protocol scheme ""

On running kubectl get clusterissuer -o yaml, this is the output

Spec:
  Acme:
    Email:  [email protected]
    Http 01:
    Private Key Secret Ref:
      Key:
      Name:  letsencrypt-staging-cluster-key-pair
    Server:  https://acme-staging.api.letsencrypt.org/directory
Status:
  Acme:
    Uri:
  Conditions:
    Last Transition Time:  2018-04-18T16:39:47Z
    Message:               Failed to verify ACME account: Post : unsupported protocol scheme ""
    Reason:                ErrRegisterACMEAccount
    Status:                False
    Type:                  Ready
Events:
  Type     Reason                Age                 From          Message
  ----     ------                ----                ----          -------
  Warning  ErrInitIssuer         12m (x12 over 14m)  cert-manager  Error initializing issuer: Post : unsupported protocol scheme ""
  Warning  ErrVerifyACMEAccount  3m (x15 over 14m)   cert-manager  Failed to verify ACME account: Post : unsupported protocol scheme ""

What you expected to happen:
The cluster issuer should have got accepted and the cert-manager to not keep queuing.

How to reproduce it (as minimally and precisely as possible):

Install v0.3.0-alpha.1. Create cluster issue as above.

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version): v1.10.1
  • Cloud provider or hardware configuration**:
  • Install tools: helm v2.8.2
  • Others:
kinbug
Source
picture diwakar-s-maurya
👍2

Most helpful comment

There currently isn't documentation for it.

An example:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-tls
spec:
  dnsNames:
  - '*.domain.com'
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: wildcard-tls
  acme:
    config:
    - dns01:
        provider: cloudflare
      domains:
      - domain.com

We need to get this example, with maybe a little bit of extra text to
explain, into the reference docs for ACME certificates before cutting 0.3
itself.

picture munnerz on 18 Apr 2018
👍31

All 17 comments

Thanks for the report, and for trying out the alpha release!

You need to update your issuer to use the v2 Let's Encrypt endpoint instead of v1.

We have updated the documentation tutorials on the release-0.3 section of the docs: http://docs.cert-manager.io/en/release-0.3/tutorials/acme/http-validation.html

We also mention it in the release notes.

I think we could probably catch this input acme server, and set the condition to say you should update your issuer endpoint. It'd probably save confusion again...

munnerz picture munnerz on 18 Apr 2018

Thanks. It worked. https://acme-staging-v02.api.letsencrypt.org/directory

@munnerz Can you also point to the documentation for creating wildcard Certificate yaml? I think its WIP. If yes, please share an trivial example yaml here, if possible.

diwakar-s-maurya picture diwakar-s-maurya on 18 Apr 2018

There currently isn't documentation for it.

An example:

apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: wildcard-tls
spec:
  dnsNames:
  - '*.domain.com'
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
  secretName: wildcard-tls
  acme:
    config:
    - dns01:
        provider: cloudflare
      domains:
      - domain.com

We need to get this example, with maybe a little bit of extra text to
explain, into the reference docs for ACME certificates before cutting 0.3
itself.

munnerz picture munnerz on 18 Apr 2018
👍31

Ran into this when switching from kube-lego. That error message hah, had me thinking my yaml quoting was wrong for a bit. Using the alpha.2 for the wildcard support since we've been hit by the domain rate limits consistently the last few weeks.

cehoffman picture cehoffman on 2 May 2018

I have opened #545 which should fix this and provide a helpful message to users for how they can fix their Issuers 😄

munnerz picture munnerz on 9 May 2018
👍1

I get the same issue. I am using the latest helm chart available for cert-manager (v 0.3.0) Can you please help?

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: v2
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: [email protected]
    privateKeySecretRef:
        name: v2
    http01: {}

Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning ErrVerifyACMEAccount 25s (x9 over 8m) cert-manager-controller Failed to verify ACME account: Head : unsupported protocol scheme ""
Warning ErrInitIssuer 25s (x9 over 8m) cert-manager-controller Error initializing issuer: Head : unsupported protocol scheme ""

chetanku picture chetanku on 24 May 2018
👍2

Got the same issue:

I0525 02:09:21.563141       1 sync.go:40] Error initializing issuer: Head : unsupported protocol scheme ""
E0525 02:09:21.573598       1 controller.go:145] issuers controller: Re-queuing item "medapps/letsencrypt-prod" due to error processing: Head : unsupported protocol scheme ""
sysradium picture sysradium on 25 May 2018

Same here:

Events:
  Type     Reason                Age              From                     Message
  ----     ------                ----             ----                     -------
  Warning  ErrVerifyACMEAccount  1m (x5 over 3m)  cert-manager-controller  Failed to verify ACME account: Head : unsupported protocol scheme ""
  Warning  ErrInitIssuer         1m (x5 over 3m)  cert-manager-controller  Error initializing issuer: Head : unsupported protocol scheme ""

Followup: removing cert-manager completely and re-installing the latest version fixed it for me.

fradeve picture fradeve on 25 May 2018

Both with v2 and v3 ...

sysradium picture sysradium on 25 May 2018

I also have this problem after a fresh helm install today.

anderspetersson picture anderspetersson on 25 May 2018

Running helm update solved my problems.

anderspetersson picture anderspetersson on 25 May 2018
🎉1

I uninstalled cert-manager and reinstalled with helm. It worked.

chetanku picture chetanku on 25 May 2018

Yes don't think a helm upgrade will do it. You need to
helm delete --purge <release-name>
then reinstall. Fixed for me.

Although this issue suggests deleting your "ACME accounts private key" is a more precise solution...

holmesb picture holmesb on 28 May 2018

I nuked cert-manager and installed it again. Seems to work now. But this instability is a little bit worrying :/

sysradium picture sysradium on 28 May 2018

I had the same issue and I believe it is related to helm.

Today I tried cert-manager. Version 0.3.0 was published a week ago.

I noticed helm installed an older version - probably because it had a package cache from some time ago:
helm ls NAME REVISION UPDATED STATUS CHART NAMESPACE cert-manager 1 Thu May 31 07:21:11 2018 DEPLOYED cert-manager-0.2.10 kube-system
I helm delete --purge and helm update and then re-installed with same command helm install cert-manager stable/cert-manager

helm ls NAME REVISION UPDATED STATUS CHART NAMESPACE cert-manager 1 Thu May 31 08:14:19 2018 DEPLOYED cert-manager-v0.3.1 kube-system

ieugen picture ieugen on 31 May 2018
🎉1

Same as above.
I helm del --purge cert-manager and helm update and then re-installed with same command helm install.

Could be worth adding a 'helm update' hint in the docs?

necevil picture necevil on 6 Sep 2018

We now have an actual upgrading guide which includes this step here:
https://cert-manager.readthedocs.io/en/master/admin/upgrading/index.html

On Thu, 6 Sep 2018 at 19:17, necevil notifications@github.com wrote:

Same as above.
I helm del --purge cert-manager and helm update and then re-installed
with same command helm install.

Could be worth adding a 'helm update' hint in the docs?

—
You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub
https://github.com/jetstack/cert-manager/issues/491#issuecomment-419192404,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AAMbPxUvFEJh41XSyluCGWm5H7I7__9jks5uYWbCgaJpZM4TabUE
.

munnerz picture munnerz on 6 Sep 2018
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jakubknejzlik picture jakubknejzlik  Â·  3Comments
jbouzekri picture jbouzekri  Â·  4Comments
matthew-muscat picture matthew-muscat  Â·  4Comments
Azylog picture Azylog  Â·  3Comments
timblakely picture timblakely  Â·  4Comments